Ransomware Roundup 02.13.23

Written by
Halcyon Team
Published on
February 13, 2023

New ESXiArgs Ransomware Version Targeting VMware ESXi Users

There are reports of a second wave of ransomware attacks after the operators updated the malware to encrypt flat files in an effort to fix a bug in their encryption algorithm that allowed the development of recovery script. The script was released by CISA after the first wave of attacks, but it will be ineffective on servers infected with the latest version of the ESXiArgs variant.

Late last week, widespread automated ransomware attacks impacted thousands of vulnerable VMware ESXi servers using the novel ESXiArgs ransomware. The updated version of the ransomware is more disruptive to victim organizations because it is capable of encrypting more file types, making it more difficult to remediate.

This wave of ransomware attacks have been targeting VMware ESXi virtual machines that are still at risk from a two year old vulnerability for which a patch has been available for some time. Victim organizations who fall prey to attackers due to vulnerabilities that have published patches often come under criticism for not having applied them in a timely manner. But sometimes patching presents issues themselves.

“Patching systems like VMware can be highly complex for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in the development and tested prior to production, said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied. Thus, there can be months+ of work to do before they can be protected, greatly contributing to the large number of vulnerable ESXi/VMs/servers.”

CISA (the Cybersecurity and Infrastructure Security Agency) released a script that was effective in remediating against the first version of the ESXiArgs ransomware, but the agency included an exclamatory “no warranty” warning along with it.

"CISA releasing a script with no guarantee applying it will solve the issue for impacted organizations to regain access and control of their VMWare servers is a statement,” Miller continued. “It is rare for CISA to release a tool like this, and shows the level of concern surrounding ransomware operators moving to target beyond traditional corporate endpoints."

Takeaway: recovery from a ransomware attack is exceedingly difficult, and even agencies charged with protecting organizations and offering guidance for defending and responding to these attacks are still struggling to deliver a consistent and effective strategy. With the cost of responding to a ransomware attack running well into the millions of dollars per event, preventing a ransomware attack from being successful in the first place is the only viable strategy.

New Cl0p Variant Targets Critical Linux System

The infamous Cl0p ransomware group released a new variant that targets critical Linux systems. While this first version of Cl0p for Linux was found to be riddled with bugs and easy to remediate, as we know from experience the developers are going to follow on with debugged versions that could wreak havoc on some very key systems and cause some major disruptions.

"The 'always on' nature of Linux systems provides a strategic beachhead for moving laterally throughout the network, so targeting Linux systems would allow the threat actors to brick the most sensitive parts of an organization's networks, which means the attackers can demand a higher ransom,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent further investigations in an emulated environment, such as sandboxing.

Typically ransomware attackers focus on the Windows OS since it has the most market share – they have ROI to think about  too when choosing where to put their development resources. While Linux has a tiny footprint in desktop computing, it runs ~80% of all web servers, the majority of smartphones, 100% of the top 500 supercomputers, and a large portion of embedded devices which hold the most sensitive data of all.

Linux is favored by large network applications and data centers that drive most of the U.S. government and military networks, financial institutions, and even the backbone of the internet. So, while there are comparatively few Linux targets, what targets there are potentially extremely lucrative for an attacker.

Takeaway: Ransomware operators continue to advance their skillsets, improve the efficacy of their infection vectors and payloads, and continue to heavily invest in recruiting and retaining new talent, growing and expanding their illicit business operations and capabilities at an astounding pace. Legacy antivirus, NGAV and EDR tools were simply not designed to address the unique threat that ransomware presents, and this is why we keep seeing destructive ransomware attacks circumvent these general application solutions – this issue will be compounded by the fact that security offerings for Linux systems are immature at best.

Five Guys Hit by BlackCat/ALPHV Ransomware

The BlackCat/ALPHV ransomware gang posted the popular burger chain Five Guys on its data leak site along with what was purported to be proof of sensitive data exfiltration as part of a Double Extortion scheme to incentivize payment of the ransom demand.

It is assessed that the threat actors may have accessed sensitive company data including banking information and payroll info, as well as recruiting data and other sensitive information. Attackers previously hit Five Guy‘ that exposed employee data and subsequently led to a lawsuit against the fast food chain stemming from financial fraud associated with the data lost in the attack.

Takeaway: The exfiltration of sensitive data means that even with a robust cyber resilience program and data backups to assist in recovery efforts, organizations face additional risk from the exposure of internal communications, trade secrets, R&D assets, intellectual property and more, and that risk can extend to other organizations as the valuable information is leveraged in other criminal acts.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.

Subscribe to receive the latest blog posts to your inbox every week.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

See All Blog Posts

Ransomware Roundup: 05.22.23

This week in ransomware news: Ransomware Shutters Philadelphia Inquirer; Bl00dy PaperCut Vulnerability Exploit; US Sanctions Ransomware Operator...

Read the Blog

Ransomware Roundup: 05.15.23

This week in ransomware news: White House Weighs Ban on Ransom Payments; Novel Cactus Ransomware Abuses VPNs; Akira Emerges with Ransom Chat Channel...

Read the Blog

Ransomware Roundup: 05.08.23

This week in ransomware news: ALPHV Monitored IR Communications; Ransomware Operators Automate Exploits; AvosLocker Broadcasts to Victims...

Read the Blog

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Ready to get a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert

Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.